How to Protect Your Site From Becoming a Phishing Portal
You’ve heard of “phishing”, but do you know how it works, or why it does?
Follow this scenario to learn how:
- Frank the fisherman has a small bait shop with a basic WordPress website on a shared hosting account with just a simple little “about us” page, a contact form, maybe a map of how to find him and a few blog posts from when he first built his website in 2011. His site looks nice, but he doesn’t get a ton of traffic, as his main target audience is primarily night fishermen within a 30-mile radius of his shop.
- Frank leaves his site alone and ignores any spam that his site generates, deleting it from his email account, or simply never checking it at all. Regardless, Frank rarely logs into his website, and even when he does, his developer only gave him editor privileges to make sure that Frank “doesn’t break anything”, preventing Frank from running updates (and most likely, preventing him from even knowing that updates are available).
- For 5 or 6 months, sometimes less, sometimes longer, Frank’s site goes unvisited. Frank doesn’t have much to talk about as the fishing industry hasn’t changed much in the past 1,000 years or so and most of the principles remain very much the same. He knows his site’s online, and doesn’t really have any reason to check it out, as he already knows it inside and out.
- Enter international novice script-kiddy and hacker, we’ll call him ‘Dick’ … he’s learned from one of his forums that there is a vulnerability in WordPress 3.1, the same cutting edge platform that Frank’s website was built on a short year and a half ago, and he searches Google for a couple identifying characteristics of WordPress 3.1, and pulls up about 20 of them, and passes them out to a couple of his buddies in their forum, maybe suggesting a race or some other sort of competition to see who can compromise the site first, or whatever they want to make it fun… (did I mention that Dick is only 16?)
- So Dick and his buddies use Google, a couple guides in their forums and a few friends to hack these sites one night and decide that they are going to inject your site with a shiny new backdoor, allowing them to upload their files and maybe build another site on your server but, don’t worry, they’ll be sure not to disturb your website or your business, they’re just going to put these files over here in this other subfolder where they won’t be in the way…
- While they’re in there, maybe they go ahead and create a little web page of their own, maybe something nice and professional looking… Let’s try to make it look really secure, you know, like a bank! Let’s make the web page look just like a bank web page, that will be really professional, and so they go ahead and they make their “professional” looking web page (or simply upload one of the thousands of illegal bank website clones and call it a day).
- Well, since we’re playing bank, we should go ahead and upload a couple forms that maybe look like Chase.com, or BofA.com, or whoever, and maybe while we are doing that, we might as well send out a couple emails to people telling them about this suspicious transaction that we were able to prevent before it went through on your bank account, you should probably login to verify and change your PIN and online password in case your account has been compromised, so hurry up and go to this link, or call this 800 number and we can help you right away!
- Dick and his buddies send this email out over the course of a couple hours (or weeks), to about 150-200,000 of their closest friends (aka victims), using your server and your hosting account, but don’t worry, they don’t have to set up an email account or anything like that, they’ll just use phpmailer or something so they can stay out of the way, and to help make sure that they don’t annoy anybody or pop up on anybody’s radar, they’ll be sure to spread that load over a couple different servers and mask the originating email address, just to make sure that it looks official and they don’t bother anyone.
- So Dick sends their email to these people and your Grandma Ingrid is really happy that her account information is safe with her bank and logs in just to make sure that nothing has been compromised and that her life savings is exactly as it was last night. Unfortunately, she tries to login to the website and finds that the bank has been “receiving a huge amount of traffic lately and their website is down for maintenance” until whenever, and for immediate assistance please call 1-555-YOUR-BANK. So Grandma calls, and Dick or one of his buddies picks up the phone, and she verifies her social security number, credit card number, DOB and ZIP code; he forwards her to his “fraud department” for further verification, and after a long conversation, they confirm with her that her account is secure, thank her for her business and send her on her way, skipping away with everything he needs to take everything she has.
- A couple weeks go by, and (not necessarily in this order) Google spiders Frank’s site again, to see if there has been any new content put on there and they find that there is! But there’s a complaint from some company called ‘RSA’ that says that this site is a phishing site and is not safe for people to browse to and Google decides to take it out of their search index and provide it with a fabulously shiny red page letting people know that basically, you’re a piece of shit and don’t like to take care of things and now people have moved into your garage and have started a prostitution, gun running and crack cocaine distribution center, while you were passed out with a bowl of Cheetos on your lap with your dirty diapered children running rampant with no shoes on up and down the driveway, right in front of these new hooligans you’ve been fraternizing with (or something like that). RSA shoots an email over to your web host telling them to shut Frank’s website down and send him an email about what an irresponsible web site owner he is to either:
- a.) Allow his website to get hacked
- b.) Host a phishing portal tricking people into giving him their login credentials for .
- Frank doesn’t check his emails, and weeks go by, his site’s been suspended, and one of his regulars comes in and says “hey, what happened to your website, it’s been down for a little while, I thought maybe you went out of business”. And Frank replies, “Huh? What? It should be up, I haven’t done anything to it”, but he still checks and finds out his site is down, so he calls his web hosting company, who tells him that they don’t really support scripts and code, they provide service for the servers, and though his site was hacked, it was an isolated incident related directly to poor design and web maintenance and he should probably consult with his web developer to get things in order. So he makes his next phone call to his web developer (the guy he hasn’t talked to in over a year and a half) and finds out he is out of business now. Seems that because his “developer” only charged him $300 for his site, he couldn’t afford to stay in the cheap website business and feed his wife and their two small children while working for 50-60 hours on a website and only charging him for 15-20, and now the guy has moved out of town and has a full time gig working at the Applebee’s, but for another couple hundred bucks, he’ll give it a crack and hopefully get him back up and running, but he’s definitely going to need the money up front.
- Nobody ever hears from Dick again, (and quite frankly, they don’t even try to find out who the guy is) Grandma Ingrid is out $400k, Frank looks like a fool and has to fork over some more money to fix his website either with this guy, or build a brand new site, the right way for a couple thousand more, the hosting company now keeps an eye on you because you’re a terrible website owner and you’ve lost a couple handfuls of faithful customers that thought you were out of business.
- This all might seem like an exaggeration, but when you host several thousand websites, these stories become pretty daily conversations. I can’t even begin to count the number of frustrated website owners I’ve dealt with that have had experiences just like this one, or even worse.
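The three things that let the scenario above happen (a core that was never updated, a stranger’s subfolder dropped next to the site, and an uploaded script doing the mailing) are all visible on disk to anyone who looks. The following audit is an added example, not code from this post or from WordPress: it reads the version WordPress records about itself, lists top-level entries that are not part of a stock install, and flags executable scripts under `wp-content/uploads`. The expected top-level layout, the "current" version string and the sample site it builds are all assumptions constructed for the demo.

```python
import os
import re
import tempfile

# Assumption: a stock install has only these top-level entries. Adjust to your own deployment.
EXPECTED_TOP_LEVEL = {"wp-admin", "wp-content", "wp-includes", "index.php",
                      "wp-config.php", "wp-login.php", "xmlrpc.php", ".htaccess"}
SCRIPT_EXTENSIONS = (".php", ".phtml", ".php5")
# Placeholder: replace with the release you verified as current at wordpress.org.
CURRENT_VERSION_PLACEHOLDER = "3.4"

def wp_version(root):
    """Return $wp_version from wp-includes/version.php, the file WordPress itself reads."""
    path = os.path.join(root, "wp-includes", "version.php")
    with open(path) as f:
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", f.read())
    return m.group(1) if m else None

def audit(root, current_version):
    """Collect findings: stale core, unexpected top-level entries, scripts in uploads."""
    findings = []
    installed = wp_version(root)
    if installed != current_version:
        findings.append(f"outdated core: {installed} (current {current_version})")
    for name in sorted(os.listdir(root)):
        if name not in EXPECTED_TOP_LEVEL:
            findings.append(f"unexpected top-level entry: {name}")
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, files in os.walk(uploads):
        for fname in files:
            if fname.lower().endswith(SCRIPT_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append(f"executable script in uploads: {rel}")
    return findings

def build_sample_site():
    """Constructed sample: a stale 3.1 install with a rogue subfolder and a PHP file in uploads."""
    root = tempfile.mkdtemp()
    for d in ("wp-admin", "wp-includes", "wp-content/uploads/2011", "secure-login"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '3.1';\n")
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/2011/mailer.php"):
        open(os.path.join(root, rel), "w").close()
    return root

if __name__ == "__main__":
    for line in audit(build_sample_site(), CURRENT_VERSION_PLACEHOLDER):
        print(line)
```

Run against a real document root instead of the constructed sample, and treat any finding in the second or third category as a reason to pull the site offline and rebuild it from known-good sources rather than delete the files one by one.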